Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 08:26:11
Following the excitement of the Python 3.14.0 release, the core development team has issued four security-focused patch releases for older stable branches: Python 3.12.12, 3.11.14, 3.10.19, and 3.9.24. These updates address critical vulnerabilities in XML handling, archive processing, and HTML parsing, along with an important third‑party dependency fix in the 3.11 branch. Below we answer the most common questions about these releases.
1. Why were these security releases issued now?
These updates are part of Python’s regular security maintenance schedule. While the team is actively developing the new 3.14 series, older versions still in wide use needed urgent fixes for several high‑impact vulnerabilities. The goal is to ensure that users of Python 3.9 through 3.12 can continue to run their applications safely without having to upgrade to an entirely new major version. Each release incorporates patches for vulnerabilities that could be exploited through maliciously crafted XML, archive files, or HTML content. By applying these fixes, the Python project maintains a strong security posture across its supported branches.
2. What XML‑related security fixes are included?
Two important XML issues are resolved across all four versions. First, the bundled libexpat library has been upgraded to version 2.7.3 to address CVE‑2025‑59375, a vulnerability that could allow an attacker to cause a denial of service through specially crafted XML input. Second, the xml.parsers.expat module now ensures that parent Expat parsers are only garbage‑collected after all subparsers created via ExternalEntityParserCreate() have been fully released. This prevents use‑after‑free bugs and improves memory management. Both fixes are critical for applications that parse untrusted XML data.
3. How have archive handling vulnerabilities been fixed?
Two archive‑related improvements are included. In tarfile, member offsets are now validated to ensure they are non‑negative, preventing potential integer underflow attacks when processing malicious tar archives. For ZIP files, the consistency of the zip64 end of central directory record is now strictly checked. Additionally, support has been added for records that contain “zip64 extensible data” when no bytes are prepended to the ZIP file. These changes make Python’s built‑in archive modules more resilient against malformed or deliberately corrupted archives that could otherwise lead to security issues.
4. What major HTML parsing changes were made in html.parser.HTMLParser?
A large number of HTML5 compliance fixes have been applied. Key changes include:
- Whitespace is no longer accepted between `</` and the tag name (e.g., `</ script>` does not end the script section).
- Vertical tabulation (`\v`) and non‑ASCII whitespace characters are no longer treated as whitespace; only `\t`, `\n`, `\r`, `\f`, and space are recognized.
- The null character (`U+0000`) no longer prematurely ends tag names.
- Attributes and slashes after the tag name in end tags are now ignored (e.g., `</script/foo=">"/>`).
- Multiple slashes and whitespace between the last attribute and the closing `>` are ignored in both start and end tags.
- Multiple equals signs between attribute name and value are no longer collapsed (e.g., `<a foo==bar>` produces attribute `foo` with value `=bar`).
These changes bring Python’s HTML parser into closer alignment with the official HTML5 specification, reducing the risk of misinterpretation of malformed HTML.
5. Are there any changes to how CDATA sections and comments are parsed?
Yes. The parsing of CDATA sections has been updated so that near‑miss sequences such as `]] >` no longer end the CDATA section; only the exact sequence `]]>` triggers the end. A new private method `_set_support_cdata()` allows developers to specify whether `<![CDATA[` should be treated as a CDATA section (when inside SVG or MathML) or as a bogus comment in the HTML namespace. Comment parsing now follows HTML5: `--!>` ends a comment, while `-- >` no longer does. Abnormally ended empty comments like `<-->` and `<--->` are now supported. These fixes eliminate several edge‑case bugs.
6. Why does Python 3.11.14 include an updated setuptools?
Python 3.11.14 is the only one of these four releases that ships an updated copy of setuptools, upgraded to version 79.0.1. This update addresses two vulnerabilities: CVE‑2025‑47273 and CVE‑2024‑6345. These flaws could allow an attacker to execute arbitrary code or cause other security issues when processing malicious packages. Since setuptools is a core tool used for package installation and distribution, it is critical that any Python runtime that bundles it remains patched. Users of Python 3.11 are strongly encouraged to upgrade to 3.11.14 to close these vulnerabilities.
7. How can I get these updates and what should I do next?
The new releases are available for download from the official Python website at python.org/downloads. You should upgrade your Python installation as soon as possible, especially if your application processes untrusted input (such as XML, archives, or HTML) or relies on setuptools (for Python 3.11 users). To upgrade, simply download the installer for your operating system and run it, or if you use a package manager (e.g., Homebrew, apt), follow its instructions to install the latest version. After upgrading, test your applications to ensure compatibility — while these are patch releases, the HTML parser changes may affect edge cases in custom parsers. Stay secure!
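As an added example (not code from the release announcement or from CPython itself), a small Python script that checks the running interpreter against the figures given in sections 2, 4, 6 and 7 above: the branch micro version, the bundled libexpat version, the installed setuptools version, and a probe of the `</ script>` end‑tag behaviour listed under the HTML parser changes. The version thresholds come from this page; the function and class names are my own.

```python
"""Added example (not part of the release announcement): check whether the
running interpreter carries the fixes described above."""
import re
import sys
import pyexpat
from html.parser import HTMLParser
from importlib import metadata

# Minimum patched micro version per branch, as listed in the announcement.
PATCHED = {(3, 12): 12, (3, 11): 14, (3, 10): 19, (3, 9): 24}
MIN_EXPAT = (2, 7, 3)          # libexpat fix for CVE-2025-59375
MIN_SETUPTOOLS = (79, 0, 1)    # bundled only with the 3.11.14 release

def branch_is_patched(version=sys.version_info):
    """True/False for a branch the announcement covers, None for any other."""
    major, minor, micro = version[:3]
    need = PATCHED.get((major, minor))
    return None if need is None else micro >= need

def expat_is_patched(version_info=pyexpat.version_info):
    """pyexpat.version_info is the bundled libexpat version as a tuple."""
    return tuple(version_info) >= MIN_EXPAT

def setuptools_is_patched(version=None):
    """Version string defaults to the installed setuptools; None if absent."""
    if version is None:
        try:
            version = metadata.version("setuptools")
        except metadata.PackageNotFoundError:
            return None
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return (parts + (0, 0, 0))[:3] >= MIN_SETUPTOOLS

class _EndTagProbe(HTMLParser):
    """Records end tags so we can see whether '</ script>' is honoured."""
    def __init__(self):
        super().__init__()
        self.endtags = []
    def handle_endtag(self, tag):
        self.endtags.append(tag)

def parser_rejects_space_in_end_tag():
    """HTML5 behaviour (patched): '</ script>' does NOT close the script
    element, so exactly one 'script' end tag is reported for this probe."""
    probe = _EndTagProbe()
    probe.feed("<script>x</ script>y</script>")
    probe.close()
    return probe.endtags.count("script") == 1
```

On an unpatched interpreter the probe reports two `script` end tags, because the old parser accepted whitespace after `</` and closed the script element early.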